#6389 [RFE] Allow client commands without enrolling
Closed: duplicate a year ago by rcritten. Opened 3 years ago by mkosek.

In some environments (like containers), it is sometimes desirable to run FreeIPA client commands without enrolling a full-blown client (and polluting FreeIPA hosts). It would be good if the client could be invoked with just a Kerberos ticket or a password.

Workaround: how to run service Vault without enrolling client

Preparation: prepare a clean client VM and a server VM (called ipa.rhel73 in this case) with Vault configured. Create a service (vaulttest/ipa.rhel73@RHEL73) on the server and download the keytab to the client (vaulttest.keytab).

Prepare Kerberos authentication

$ cd /etc/vaulttest
$ sudo dnf install freeipa-client freeipa-admintools
$ cat krb5.conf 
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 default_realm = RHEL73
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
RHEL73 = {
  kdc = ipa.rhel73
  master_kdc = ipa.rhel73
  admin_server = ipa.rhel73
}

[domain_realm]
 .rhel73 = RHEL73
$ export KRB5_CONFIG=/tmp/vaulttest/krb5.conf
$ kinit -kt vaulttest.keytab
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: vaulttest/ipa.rhel73@RHEL73

Valid starting       Expires              Service principal
10/10/2016 09:44:30  10/11/2016 09:44:30  krbtgt/RHEL73@RHEL73
    renew until 10/17/2016 09:44:30

Prepare client configuration

$ cat default.conf 
[global]
host = None
server = ipa.rhel73
basedn = dc=rhel73
realm = RHEL73
domain = rhel73
xmlrpc_uri = https://ipa.rhel73/ipa/xml
enable_ra = True
mode = production

$ sudo cp default.conf /etc/ipa/default.conf

Prepare NSS database that client uses

$ wget -O ca.crt http://ipa.rhel73/ipa/config/ca.crt
$ sudo sh -c "echo randomblob > /etc/ipa/nssdb/pwdfile.txt"
$ sudo certutil -d /etc/ipa/nssdb/ -N -f /etc/ipa/nssdb/pwdfile.txt
$ sudo certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i ca.crt
$ sudo chmod 0644 /etc/ipa/nssdb/*.db
$ sudo chmod 0600 /etc/ipa/nssdb/pwdfile.txt
$ certutil -L -d /etc/ipa/nssdb/

Certificate Nickname                                         Trust Attributes

IPA CA                                                       CT,C,C

Test with Vault commands

$ ipa vault-add service_secret --service vaulttest/ipa.rhel73@RHEL73 --type=standard 
Added vault "service_secret"
  Vault name: service_secret
  Type: standard
  Owner services: vaulttest/ipa.rhel73@RHEL73
  Vault service: vaulttest/ipa.rhel73@RHEL73
$ echo pshhh > input.txt
$ ipa vault-archive service_secret --service vaulttest/ipa.rhel73@RHEL73 --in input.txt 
Archived data into vault "service_secret"
$ ipa vault-find --service vaulttest/ipa.rhel73@RHEL73
1 vault matched
  Vault name: service_secret
  Type: standard
  Vault service: vaulttest/ipa.rhel73@RHEL73
Number of entries returned 1
$ ipa vault-retrieve service_secret --service vaulttest/ipa.rhel73@RHEL73 --out output.txt 
Retrieved data from vault "service_secret"
$ cat output.txt 

The ipa command can store a suitable krb5.conf file in a .dotdir the first time it is run and figures out it is not enrolled. A minimal krb5.conf file will include a list of KDCs that can be contacted, the default realm, etc.
The first run will require the user to specify a server name or try to discover it. After this first run the ipa command will try to see if there is a .dotdir in the home if it is run on an unenrolled client. If there is, it will proceed, setting the KRB5_CONFIG variable to the .dotdir/krb5.conf.
It'd be nice if in the same .dotdir we created also a default.conf file and an nssdir for the CA cert; then we have all the needed data for any following run.

+1 to simo's suggestion. It also eliminates the need for root.

I wonder if a user should be able to override the host settings by having their own dotdir (I don't see why not).

For discovery I think domain will be needed as well if a server isn't provided.

H: you can always explicitly specify IPA config options using the -e option of the ipa command, so this should more or less already work

Martin pointed me to this ticket a couple of days ago. I haven't had time to look into it.

My Ansible playbook and my work on an IPA vault plugin for Custodia could both benefit from such a feature. It should be possible to auto-generate all config files with just the FQDN of the server. The realm and basedn can be inferred from the domain part of the FQDN. The auto-generate script should also take an optional path to ca.crt.

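An added example (not FreeIPA project code) of the auto-generation idea from the comments above: it produces the same krb5.conf and default.conf pair that the manual workaround in the ticket description builds by hand, deriving realm and basedn from the domain part of the server FQDN alone. The per-user directory (for instance ~/.ipa as the "dotdir") and the file layout are assumptions; an unqualified server name is rejected because no realm can be inferred from it.

```python
# Added example (not FreeIPA project code): derives the krb5.conf/default.conf
# pair from the ticket's manual workaround from the server FQDN alone, as the
# comments propose. Realm and basedn come from the domain part of the FQDN; the
# per-user directory (e.g. ~/.ipa) and the file layout are assumptions.
import shutil
from pathlib import Path


def split_fqdn(server_fqdn):
    """Return (host, domain); an unqualified name cannot yield a realm."""
    host, sep, domain = server_fqdn.strip().lower().partition(".")
    if not (host and sep and domain):
        raise ValueError(f"server must be a FQDN, got {server_fqdn!r}")
    return host, domain

def infer_realm(server_fqdn):
    """Kerberos realm = domain part upper-cased (ipa.rhel73 -> RHEL73)."""
    return split_fqdn(server_fqdn)[1].upper()

def infer_basedn(server_fqdn):
    """LDAP base DN = one dc= component per domain label (rhel73 -> dc=rhel73)."""
    return ",".join("dc=" + lbl for lbl in split_fqdn(server_fqdn)[1].split("."))

def render_krb5_conf(server_fqdn):
    """Minimal krb5.conf: default realm, its KDC, and the domain-to-realm map."""
    domain, realm = split_fqdn(server_fqdn)[1], infer_realm(server_fqdn)
    return "\n".join([
        "[libdefaults]", f" default_realm = {realm}", " dns_lookup_realm = false",
        " rdns = false", "", "[realms]", f"{realm} = {{", f"  kdc = {server_fqdn}",
        f"  master_kdc = {server_fqdn}", f"  admin_server = {server_fqdn}", "}", "",
        "[domain_realm]", f" .{domain} = {realm}", f" {domain} = {realm}", ""])

def render_default_conf(server_fqdn):
    """Same keys as the ticket's /etc/ipa/default.conf, with host left unset."""
    return "\n".join([
        "[global]", "host = None", f"server = {server_fqdn}",
        f"basedn = {infer_basedn(server_fqdn)}", f"realm = {infer_realm(server_fqdn)}",
        f"domain = {split_fqdn(server_fqdn)[1]}",
        f"xmlrpc_uri = https://{server_fqdn}/ipa/xml", "enable_ra = True",
        "mode = production", ""])

def write_confdir(server_fqdn, confdir, ca_crt=None):
    """Write both files (plus ca.crt if given) into a per-user dir, no root needed."""
    confdir = Path(confdir)
    confdir.mkdir(mode=0o700, parents=True, exist_ok=True)
    (confdir / "krb5.conf").write_text(render_krb5_conf(server_fqdn))
    (confdir / "default.conf").write_text(render_default_conf(server_fqdn))
    if ca_crt:  # optional CA cert path, as the last comment suggests
        shutil.copy(ca_crt, confdir / "ca.crt")
    return sorted(p.name for p in confdir.iterdir())
```

Point KRB5_CONFIG and IPA_CONFDIR at the written directory (as the manual workaround does for KRB5_CONFIG) before running ipa commands with the service keytab.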
  • 1e6a204 Set explicit confdir option for global contexts
  • d491625 Use env var IPA_CONFDIR to get confdir
  • c2934aa Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used
  • 34bd2b6 Fetch correct exception in IPA_CONFDIR test
  • 1300381 Add 'env_confdir' to constants
  • fe6f2b6 scripts, tests: explicitly set confdir in the rest of server code

Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

3 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

a year ago
